Willie Sutton purportedly answered a reporter's question about why he robbed banks by saying, "because that's where the money is." This then formed the basis for the medical doctrine of Sutton's Law: when diagnosing, one should first consider the obvious.

Both truisms were verified by HSBC Finance Corporation's recent alert to mortgage customers that it experienced a data breach in late 2014 and early 2015 that revealed the personal information of some individuals. As reported by The Hill, the exposed data included Social Security numbers, account numbers, some old account information and, in some cases, phone numbers.

The unauthorized access apparently began sometime late last year and was discovered in March, at which point it was addressed, and state regulators and those impacted by the breach were notified. Per The Hill, the breach affected 10 HSBC Finance subsidiaries in at least four states. The stolen data was also “inadvertently made accessible” online.

As analyzed and discussed more thoroughly in The Art of (Cyber) War: Cybersecurity Tactics for All Financial Institutions, financial institutions of every type and size – national, regional and community banks, thrifts, mutuals, credit unions, and non-bank lenders – become larger targets for a data privacy incident as they increase their collection of personal information from their customers and employees. And, as "Cyber-Willie Suttons" will demonstrate, breaches can have a devastating effect on an organization's bottom line and reputation. Moreover, consistent with Sutton's Law, in today’s rapidly changing technological age, with personal, financial, and health information stored on devices, the Internet, and in the cloud, cyber and data security controls and programs are critical.